Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
970
Views
0
Helpful
5
Replies

ASA ACLs

Go to solution
xayavongp
Level 1
Level 1

‎08-08-2012 12:56 PM - edited ‎03-11-2019 04:39 PM

I would like to add an extended ACL line (in order to use objects) to an existing named standard ACL. I think this should be possible ?

access-list <name1> standard permit <  >

access-list <name1> extended permit < > < >

access-list <name1> standard deny any

Would I also need to add an extended deny ip any any for it to process the extended lines at the end ? I assume the standard can but won't look at destination ?

Thanks in advance,

Pete

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
riderfaiz
Level 1
Level 1

‎08-09-2012 10:52 AM

Hi Xayavonqp

I am not very good at ACL but my work needs it Jennifer is right... you cannot have standard and extended together in a same ACL set.

If you want to add some entries to a current acl...what I would do usually is:

1.) Do a "show access-list (acl name or number). And copy them on a notepad or so.

2.) In the ACL List, you will see line numbers for each entry... This may be important if you want which acl entry prior to reach first...as you know the cisco device read and analyze each entry one by one by the orders. Remember, the implicit is always deny any any at the end of any acls.

3.) Create a entry with the line number (eg:access-list name line 50 extended permit tcp any host.....)

4.) The entry you add would not over written the same numbe of line (for example in this case is 50), instead those current entries would be put down one more (like adding a row in Excel in a table, in this case, the original entry line number with 50 now will turn to be 51, and the new one you add will be line 50).

Personally...to review access list on a fw, I like to use GUI...as it is easier to review and modify if you have over hundred and hundred lines there.

I hope you understand what I tried to say Good luck!

Takami chiro

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎08-09-2012 06:01 AM

You can't have the same ACL with both standard and extended line in it.

Where do you assign the access-list?

To answer your question, you don't need to configure "deny any" or "deny ip any any" because at the end of the access-list, there is an implicit deny, so you don't need to explicitly configure "deny any" or "deny ip any any.

0 Helpful

Go to solution
xayavongp
Level 1
Level 1
In response to Jennifer Halim

‎08-09-2012 06:58 AM

Can you point me to a document or reference? This ACL is a multicast boundary ACL.

The exisiting ACL is standard. So if this is true I would need to make that all extended since I can't mix standard and extended ACL. It would easier (with objects) to have 4 lines versus 30 lines in the ACL.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to xayavongp

‎08-09-2012 09:12 PM

what device are you configuring the acl on, and what is the version of the device?

0 Helpful

Go to solution
riderfaiz
Level 1
Level 1

‎08-09-2012 10:52 AM

Hi Xayavonqp

I am not very good at ACL but my work needs it Jennifer is right... you cannot have standard and extended together in a same ACL set.

If you want to add some entries to a current acl...what I would do usually is:

1.) Do a "show access-list (acl name or number). And copy them on a notepad or so.

2.) In the ACL List, you will see line numbers for each entry... This may be important if you want which acl entry prior to reach first...as you know the cisco device read and analyze each entry one by one by the orders. Remember, the implicit is always deny any any at the end of any acls.

3.) Create a entry with the line number (eg:access-list name line 50 extended permit tcp any host.....)

4.) The entry you add would not over written the same numbe of line (for example in this case is 50), instead those current entries would be put down one more (like adding a row in Excel in a table, in this case, the original entry line number with 50 now will turn to be 51, and the new one you add will be line 50).

Personally...to review access list on a fw, I like to use GUI...as it is easier to review and modify if you have over hundred and hundred lines there.

I hope you understand what I tried to say Good luck!

Takami chiro

0 Helpful

Go to solution
xayavongp
Level 1
Level 1
In response to riderfaiz

‎09-06-2012 01:58 PM

Sorry for the late replies but I just went ahead and converted it all to extended ACLs.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card